NIST or DISA, Two Very Different Paths for Cybersecurity

Two government agencies are each developing standard expectations for cybersecurity. Although the two efforts run in parallel, which one an industry organization applies may depend on whether its business model favors structure or speed.

NIST

NIST guidelines are already familiar to government and industry organizations since they are very similar to the Service Organization Control (SOC) report guidance maintained by the AICPA (American Institute of Certified Public Accountants). As with most systems designed to manage risk, NIST addresses cybersecurity risk management through a very structured framework of three components: Core Functions, Implementation Tiers, and Framework Profile.

Core Functions

According to the Discussion Draft of the Framework Core, the five core functions are:

Know – Gaining the institutional understanding to identify what systems need to be protected, assess priority in light of the organizational mission, and manage processes to achieve cost-effective risk management goals.

Prevent – Categories of management, technical, and operational activities that enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.

Detect – Activities that identify (through ongoing monitoring or other means of observation) the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.

Respond – Specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact.

Recover – Categories of management, technical, and operational activities that restore services that have previously been impaired through an undesirable cybersecurity risk event.

Implementation Tiers

Implementation Tiers help an organization manage cybersecurity risks by describing the degree to which it implements the core functions.

Framework Profile

The Framework Profile summarizes the extent to which the guidance is implemented or planned toward the organization’s goals.

DISA

DISA (Defense Information Systems Agency) is a military agency. As such, expediency is just as critical as attestation. DISA plans to streamline its acquisition processes so that IT capability can be delivered in a shorter time period. From an industry perspective, following the DISA path may allow businesses to craft the types of contracts needed to deliver evolving IT capabilities, provided the stakeholders do not require NIST or SOC reports.


References:
http://www.natlawreview.com/article/robert-frost-and-cybersecurity-two-roads-diverging
http://www.nist.gov/itl/upload/draft_framework_core.pdf
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
http://breakinggov.com/documents/disa-new-five-year-plan-reflects-shift-in-dod-strategy/
http://www.disa.mil/About/~/media/Files/DISA/About/Strategic-Plan.pdf